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Abstract 

Splitting a secret s between several participants, we generate (for each value of s) shares for all 
participants. The goal: authorized groups of participants should be able to reconstruct the secret 
but forbidden ones get no information about it. In this paper we introduce several notions of non- 
perfect secret sharing, where some small information leak is permitted. We study its relation to the 
Kolmogorov complexity version of secret sharing (establishing some connection in both directions) 
and the effects of changing the secret size (showing that we can decrease the size of the secret and 
^ , the information leak at the same time). 
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1 Secret sharing: a reminder 



Assume that we want to share a secret - say, a bit string x of length n - between two people in such 
a way that they can reconstruct it together but none of them can do this in isolation. This is simple, 
choose a random string r of length n and give r and r © x to the participants (r © x is a bitwise XOR of 
x and r.) Both r and r © x in isolation are uniformly distributed among all n-bit strings, so they have 
no information about x. 

The general setting for secret sharing can be described as follows. We consider some finite set K, 
whose elements are called secrets. We also have a finite set V of participants. An access structure is a 
non-empty set V whose elements are groups of participants, i.e., a non-empty subset of 2 V . Elements 
of r are called authorized groups of participants (that should be able to reconstruct the secret). Other 
subsets of V are called forbidden groups (that should get no information about the secret). We always 
I/"") \ assume that T is upward-closed (it is natural since a bigger group knows morej]]. 

In our initial example /C = M n (the set of n-bit strings), V — {1,2} (we have two participants labeled 
\ 1 and 2), and T consists of the set {1,2} only. 

In general, perfect secret sharing can be defined as follows. For every participant p G V a set S v is 
fixed; its elements are p's shares. For every k G JC we have a tuple of #V dependent random variables 



Up G S p . There are two conditions: 

• for every authorized set A G T it is possible to reconstruct uniquely the secret k from the shares 
given to participants in A (i.e., for different secrets k and k' the projections of the corresponding 
random tuples onto the ^4-coordinates have disjoint ranges); 

• for every forbidden set B £ T the participants in B get no information about the secret (i.e., for 
different secrets k and k' the projections of the corresponding random tuples onto ^-coordinates 
are identically distributed). 

Various versions of combinatorial schemes were introduced in [S] and [7] . Note that in this definition 
we have no probability distribution on the set of secrets. It is natural for the setting when somebody 
gives us the secret (i.e., the user chooses her password) and we have to share whatever is given to us. 

We consider another setting (as, first in [T!2] and further developed in [5]) where secret is also a 
random variable. Consider a family of random variables: one (x) for the secret and one (a p ) for each 
participant p. This family is a perfect secret sharing scheme if 
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• for every authorized set A the projection a a = {&p,P £ ^4} determines x; 

• for every forbidden set B the projection ub is independent with k. 

These conditions can be rewritten using Shannon information theory: the first condition says that 
H(x\ga) = 0, and the second says that /(erg r x) = 0. Here H(-\-) stands for conditional Shannon 
entropy and /(• : •) stands for mutual information. (To be exact, we should ignore events of probability 
zero when saying that a a determines x. To avoid these technicalities, let us agree that our probability 
space is finite and all non-empty events have positive probabilities.) 

These definitions are closely related. Namely, it is easy to see that: 

• Assume that a perfect secret sharing scheme in the sense of the first definition is given. Then for 
every distribution on secrets (random variable x G K.) we get a scheme in the sense of the second 
definition as follows. For each secret k € /C we have a family of dependent random variables er p , 
and we use them as conditional distribution of participants' shares if x = k. 

• Assume that a perfect secret sharing scheme in the sense of the second definition is given, and all 
secrets have positive probability according to k. Then the conditional distributions of a p with the 
condition h = k form a scheme in the sense of the first definition. 

This equivalence shows that in the second version of the definition the distribution on secrets is 
irrelevant (as far as all element in K, have positive probability): we can change x keeping the conditional 
distributions, and still have a perfect secret sharing scheme. The advantage of the second definition is 
that we can use standard techniques from Shannon information theory (e.g., information inequalities). 

The general task of secret sharing can now be described as follows: given a set of secrets /C and an 
access structure T construct a secret sharing scheme. This is always possible (see [5J 111] V However, 
the problem becomes much more difficult if we limit the size of shares. It is known (see [5]) that in 
the non-degenerate case shares should be at least of the same size as the secret: > #/C for every 

essential participant p. (A participant is essential if we remove it from some authorized group and get 
a forbidden group. Evidently, non-essential participants can be just ignored.) This motivates the notion 
of ideal secret sharing scheme where = j^K for every essential participant p. 

Historically, the motivating example for secret sharing was Shamir's scheme (see [H]). It has n 
participants, authorized groups are groups of t or more participants (where t is an arbitrary threshold). 
Secrets are elements of a finite field F of size greater than n. To share a secret k, we construct a 
polynomial 

P k (x) = k + r±x + r 2 x 2 + . . . + rt-ix 1 ' 1 

where the ri are chosen independently and uniformly. The shares are the values P(xi), . . . , P(x n ) for dis- 
tinct nonzero field elements xi, . . . ,x n (for each participant a non-zero element of the field is fixed). Any 
t participants together can reconstruct the polynomial while for any t — 1 participants all combinations 
of shares are equally probable (for every fc). This scheme is ideal. 

Not every access structure allows an ideal secret sharing scheme. For example, no ideal scheme 
exists for four participants a, b, c, d where the authorized groups are {a, &}, {b, c} and {c, d} and all their 
supersets (see [5J[T3]; it is shown there that every secret sharing scheme for this access structure satisfies 
log#5 b + log#5 c >31og#/C). 

It is therefore natural to weaken the requirements a bit and to allow non-ideal secret sharing schemes 
still having shares of reasonable size. For example, we may fix some p > 1 and ask whether for a given 
access structure there exists a perfect secret sharing scheme where max pe p log #S* P < plog^/C. (The 
answer may depend on the size of /C.) 

Unfortunately, not much is known about this. There are quite intricate lower bounds for different 
specific access structures (some proofs are based on non-Shannon inequalities for entropies of tuples of 
random variables, see [31 117)). The best known lower bounds for sharing m-bit secrets (for some fixed 
access scheme) are still rather weak, like y^-^rn (see [H])- On the other hand, the known upper bounds for 
general access structures are exponential in the number of participants (and rather simple, see [51 111]). 

2 Nonperfect secret sharing 

The relaxation of the perfectness property is natural when efficiency is involved (see [21 HH HO])- Our 
attempt here is to encapsulate existing definitions of non-perfect schemes in the Shannon framework. 
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We consider possible relaxations of the requirements and introduce several versions of almost-perfect 
secret sharing. By this we mean that we allow limited "leaks" of information to forbidden groups of 
participants. We also consider schemes where authorized groups need some (small) additional information 
to reconstruct the secret. Such approximately-perfect schemes are quite natural from the practical point 
of view. Also, the gain in flexibility may help overcome the difficulty of constructing efficient perfect 
schemes which seems related to difficult problems of combinatorial or algebraic nature. 

Let us discuss possible definitions for almost-perfect schemes. Now we want to measure the leak of 
information (or the amount of missing information), and the most natural way is to replace the equations 
H (x\o~a) = and I((Tb ■ x) = by inequalities H{. . .) < e\ and /(. . .) < £2, for some bounds e\ and £2 
(normally, a small fraction of the amount of information in the secret itself). 

The problem here is that measuring the information leak and missing information in this way, we 
need to fix some distribution on secrets, and this looks unavoidable even from the intuitive point of view. 
Imagine that we have 1000-bit secrets, and the sharing scheme works badly for secrets with 900 trailing 
zeros (e.g., discloses them to all participants). If the information leak might not be huge for the uniform 
distribution, since 100 leaked bits are multiplied by 2" 900 probability to have 900 trailing zeros; it can 
however become significant if the secret is not chosen uniformly, e.g. the user chooses a short password 
padded with trailing zeros. 

An interesting question (that we postpone for now) is how significant could be this dependence. One 
may expect that a good secret sharing scheme remains almost as good if we change slightly the distri- 
bution, but we cannot prove any natural statement of this kind. So we have to include the distribution 
on secrets in all the definitions. 

Let F be an access structure. Let k and o~ p (for all participants p) be some random variables (on 
the same probability space, so we may consider their joint distribution). Such a family is called a (not 
necessarily perfect) secret sharing scheme, and its parameters are: 

• distribution on secrets (in particular, the entropy of x is important); 

• information rate, H(k), the entropy of the secret divided by the maximal entropy of a single share; 

• missing information ratio, the maximal value of H(x\o~a) for all authorized A, divided by H{x); 

• information leak ratio, the maximal value of 1(gb '■ x) for all forbidden B, divided by H(k). 

To simplify our statements, we consider asymptotic behaviors and give the following template defi- 
nition of almost-perfect secret sharing: 

Definition 2.1. An access structure T on the set P of participants can be almost-perfectly implemented 
with parameters (p, £1, £2) if there exists a sequence of secret sharing schemes for the secret variable x n , 
such that 

• H(x n ) ->■ 00; 

• the lim sup of the information rates does not exceed p; 

• the missing information ratio converges to e\ as n — > 00; 

• the information leak ratio converges to £2 as n — > 00. 

In this article we introduce several definitions of almost-perfect secret sharing schemes. Two versions 
in the framework of Shannon entropy for which we show that the stronger definition, where we require 
no missing information, gives the same notion; one version in the framework of Kolmogorov complexity. 
We prove that all these approaches are asymptotically equivalent (have equivalent asymptotical rates of 
schemes for each access structure). Hence, we can combine tools of Shannon's information theory and 
Kolmogorov complexity to investigate the properties of nonperfect secret sharing schemes. 

Rather than providing constructions or stating trivial counterparts of known theorems, we emphasize 
our study on the behaviour of such schemes. Simple properties of perfect schemes provide new natural 
questions for nonperfect schemes which are in general not trivial. The main contribution of the paper 
is the proof of few of such natural properties, namely and Proposition 12.61 and Theorem 14.31 for scaling 
down a nonperfect scheme while keeping roughly the same information leak ratio. 

We believe our modest contribution is a small step towards a promising path to discover new con- 
structions and theorems in nonperfect secret sharing. 
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2.1 Definitions 



We consider two different versions of the definition of approximately-perfect secret sharing schemes. In 
the first one. non-perfect secret sharing schemes are allowed to give some information to forbidden groups 
and/or not give authorized groups the entire secret: 

Definition 2.2. Let K, be a finite set of secrets, a (si,£2)-nonperfect secret sharing scheme for se- 
crets in K, implementing an access structure T is a tuple of jointly distributed discrete random variables 
{>c, o~\ , . . . , a n ) such that 

• if A 6 T then H(k\o- a ) < £iH(x) 

• if B T then I{x : a B ) < £ 2 TT(^) 

In this definition, authorized groups may fail to recover at most e\ bits of the secret while forbidden 
groups can not learn more than £2 bits. A probably more natural version of a non-perfect scheme is 
asymmetric: authorized groups know everything about the secret, while forbidden groups can keep not 
more than e bits of information about the secret: 

Definition 2.3. Let K, be a finite set of secrets, a e-nonperfect secret sharing scheme for secrets in K. im- 
plementing an access structure T is a tuple of jointly distributed discrete random variables (xr, ax,..., a n ) 
such that 

• if AeT then H{x\a A ) = 

• ifB^T then I{x : a B ) < sH(x) 

By e-NPS(r, TV, S), resp. {ex, £2)-NPS(T, TV, S), we refer to a e-nonperfect, resp. {ex, £2)-nonperfect, 
secret sharing scheme implementing access structure F for TV-bit secrets with single shares of entropy at 
most S. We use PS(T, TV, S) for perfect schemes, i.e., when it is the case that Sx and £2 are null. 

We now introduce the almost-perfect versions of secret sharing, that denotes an asymptotic sequence 
of nonperfect schemes for a fixed access structure where the leak can be made negligible as the size of 
the secret grows. 

Definition 2.4. We say that an access structure T can be almost-perfectly implemented, with parame- 
ters {p,Sx,£2)> if there exists a sequence of nonperfect schemes in the sense of Definition Wl^ such that 
parameters converge to (p, £1,62). i.e., if 

e^)-NPS(r, N m , S m )) meN s.t. {e^, £ 2 m ) -> {ex, £2) and ^ -t p as m -t 00 

Moreover, we say that T can be almost-perfectly implemented without missing information when the 
nonperfect schemes are in the sense of Definition \2.3[ 

Proposition 2.5. Let T be an access structure and p be a positive real, the following are equivalent 

• r can be almost-perfectly implemented 

• r can be almost-perfectly implemented without missing information. 

This proposition is a corollary of the following result: one can transform a scheme with some missing 
information into a scheme without missing information by increasing the size of shares. 

The natural idea to prove this is to add the missing information to authorized groups. However this is 
already not trivial to implement. Indeed, we want to keep the leak small, hence we can not use a perfect 
scheme to share the missing information. The plan is to "materialize" the missing information and add 
it to each participant. The small amount of information will therefore also increase the information leak 
by a small amount. The proposition tells us that we can indeed achieve a new leak comparable to the 
previous one. 

Proposition 2.6. IfT is an access structure on n participants, then 

3{ex, £ 2 )-NPS(r, TV, S) => 3{e 2 + 0(£iTV2"))-NPS(I\ TV, S + 0{ £l N2 n )) 
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Proof. Assume there is a {e\, £2)-NPS(r, N, S), let us transform it as follows. Take a minimal 
authorized set A 6 F~, by definition it holds that H(x\(Tj\) < EiN. Informally, it means that A lacks 
eiN bits of information about the secret. We materialize this information and add it to A. More 
precisely, we use the following lemma about conditional descriptions: 

Lemma 2.7. Let a and j3 be two random variables defined on the same space. Then there exists a 
variable 7 (defined on the same space) such that _ff(a|/3,7) = and H("/) < 2H(a\f3) + O(l). 

Proof. Let /3 be distributed on a set {bi, . . . , b s }. For each fixed value bj, we have a conditional 
distribution on values of a given the condition fj — bj. We can construct for this conditional distribution 
on values of a a prefix- free binary code c\j , . . . , c m j such that the average length of codewords is at most 
H(a\f3 = bj) + 1 (e.g., we can take Huffman's code). 

Let 7 be the corresponding codeword: if j3 — bj and a = then 7 = cij (the i-th codeword from the 
code constructed for the distribution of a under condition fj — bj). 

Given a value bj of /3 and a codeword cy from the corresponding code, we can uniquely determine 
the corresponding value of a. Hence, we get H(a\(3,^) = 0. It remains to estimate entropy of 7. 

The defined above 7 ranges over the union of all codewords cy (from all codes constructed for all 
possible values of fJ) . The average length of bit strings 

Eij \cij\ = Ei(Ej \ctj\) < Ei(H(a\j3 = bj) + 1) = H(a\j3 = bj) + 1. 

This observation is enough to estimate the entropy of 7. 

The union of all codewords Cy is not necessarily prefix- free even if the codes {cy, . . . , c m j} were 
prefix-free for each value of fJ. However, we can convert any set of bit strings into a prefix-free code by 
a simple transformation: we double each bit in each string, and add at the end of each string the pair 
of bits 01. E.g., a string 00101 is converted into 000011001101. This simple trick converts the set of 
into a prefix-free set c\j such that 

E ij \ C 'ij\ = 2E ij \ C ij\ + 2 

Thus, random variable 7 can be considered as a distribution on this prefix-free set c^ . It is well 
known that for any distribution on a prefix-free set, the entropy is not greater than the average length 
of codewords (it follows from Kraft's inequality). Hence, entropy of 7 is not greater than the average 
length of Cy, i.e., not greater than 2H{a\j3) + 0(1). □ 

We apply lemma [^771 to encode the secret k conditional to the shares of A. Since this random variable 
has entropy at most e%N, the encoding can be done by strings of size at most O(eiN) + 0(1). We add 
this "conditional description" to any participant of A. Now the participants of A can together determine 
the secret uniquely. We do the same for all minimal authorized groups in F~. So, now all authorized 
groups have all information about the secret. 

We added some additional data to several participants (some participants can obtain several differ- 
ent "conditional descriptions" since one participant can belong to several minimal authorized groups). 
However all additional information given to participants is of size only 0(eiN2 n ), hence, the extra in- 
formation is given to forbidden groups is at most 0(ei-/V2"). The size of the shares in the new schemes 
is at most S + 0(eiN2 n ), and we are done. □ 

An interesting open question about almost-perfect secret sharing is to settle whether it is equivalent 
to perfect secret sharing or not: 

Question 2.8. Can we achieve essentially better information rates with almost-perfect schemes than 
with perfect schemes ? 

A weaker form of this question where leaks are exactly zero has been answered by Beimel et al in [3] 
(using a result of Matus where they construct a nearly-ideal access structure, i.e. access structure 
that can be implemented perfectly with an information rate as close to 1 as we want but not equal. In 
fact, with the same kind of arguments we can construct an almost-perfect scheme for the same access 
structure with small leaks but information rate exactly one. 
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Proposition 2.9. There is an access structure which can be implemented by an almost-perfect scheme 
with parameters (1,0,0) and rate exactly one but has no ideal perfect scheme. 

Proof. An access structure T is induced by a matroid M = (Q,C) through s G Q if T is defined 
on the set of participants V = Q \ {s} by the upper closure of the collection of subsets A <Z V such 
that A U {s} £ C (here C is the set of circuits of the matroid Ai.) Let T and T~ be respectively the 
access structures induced by the Fano and by the non-Fano matroids (through any point). In |16j . MatuS 
proved that there exist perfect ideal schemes for T, resp. T~ if and only if $=K. is even, resp. odd. 

Consider an access structure T consisting of disjoint copies of T and T~ . From Matus argument, T 
cannot be implemented ideally by a perfect scheme. Construct a scheme £ consisting of the concatenation 
of two independent schemes: 

• a PS(J", N,N), and 

• a PS{T-, N,M), constructed from a PS (J"", M, M) for #/C = 2 N + 1 (i.e., M = log(2 JV + 1)) 
where we removed one possible value of the secret. 

S is a perfect scheme for T with rate log (^r +1 ) ■ Now instead of using a PS(J r_ , N, M) as second 
scheme, we modify it into a nonperfect scheme by substituting the value of the share "2^ + 1" by any 
other possible value. Now there are exactly 2 N shares. It is not difficult to show that £' is, at most, a 
(jf, 0)-NPS(r, N, N) i.e., with information rate exactly one. □ 



3 Kolmogorov secret sharing 

We denote "the" Kolmogorov complexity function by the letter K . Since most variants are equal up to a 
logarithmic term and our results are asymptotic. For a complete introduction to Kolmogorov complexity 
and to some techniques used here, we refer the reader to the book [Tj)| and to |21j . 

The problem of secret sharing could be studied also in the framework of the algorithmic information 
theory. The idea is that now a secret sharing scheme is not a distribution on binary strings but an 
individual tuple of binary strings with corresponding properties of "secrecy". To define these "secrecy" 
properties for individual strings, we substitute Shannon's entropy by Kolmogorov complexity and get 
algorithmic counterparts of the definition of secret sharing schemes. A similar idea was realized in 
Definition 21 (part 1) in [T] for a special case (for threshold access structures). 

For Kolmogorov complexity there is no natural way to define an "absolutely" perfect version of secret 
sharing scheme. Thus, in the framework of Kolmogorov complexity we can deal only with "approximately- 
perfect" versions of the definition. We define approximately-perfect secret sharing schemes for Kol- 
mogorov complexity just in the same way as we defined [e\, £2)-nonperfect schemes for Shannon's entropy 
(similarly to Definition 12. 2ft : 

Definition 3.1. For an access structure V we say that a tuple of binary strings (s, ai, . . . , a n ) is a 
Kolmogorov (61,62) -perfect secret sharing scheme for secrets of size N if 

• K{s) = N 

• for Ae T,K(s\a A ) < eiN 

• forBi T, K{s) - K{s\a B ) = I(s : a B ) < e 2 N 

We reuse the template of almost-perfect secret sharing, this time in the Kolmogorov setting using the 
above version of secret sharing scheme. Thus, it should make sense to talk about almost-perfect secret 
sharing in the sense of Kolmogorov. 

It turns out that problems of constructing approximately perfect secret sharing schemes in Shannon's 
and Kolmogorov's frameworks are closely related. For every access structure, in both frameworks the 
asymptotically optimal rates are equal to each other. More precisely, we have the following equivalence: 

Theorem 3.2. Let V be an access structure overn participants and p be a positive real, then the following 
are equivalent: 
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• r can be almost-perfectly implemented with parameters (p, £1,22) in the sense of Shannon. 

• r can be almost-perfectly implemented with parameters (p, £1,22) in the sense of Kolmogorov. 

This theorem follows from a more general parallelism between Shannon entropy and Kolmogorov 
complexity. Below we explain this parallelism in terms of realizable complexity and entropy profiles. 

The Kolmogorov complexity profile of a tuple [a] = (aj., . . . ,a n ) of a binary string is defined by the 
vector K ([a]) of Kolmogorov complexities of all pairs, triples ... of strings a,. So, it consists consists of 
2™ — 1 (integer) complexity values, one for each non-empty subset of n strings a^. In the same way we 
define the entropy profile H([s]) of a tuple [s] = (si, . . . , s n ) of random variables by replacing K(-) by 
//(•)• 

Next theorem explains that the class of realizable complexity profiles and the class of entropy profiles 
are in some sense very similar: 

Theorem 3.3. For every v G _1 the following conditions are equivalent: 

• there is a sequence ([s m ])meN of n-tuple of random variables s.t. ^H([s m ]) — > v 

• there is a sequence ([a m ]) m6 N of n-tuple of binary strings s.t. — K([a m ]) — > v 

Note that Theorem 13.51 follows immediately from Theorem 13.61 

We denote "the" Kolmogorov complexity function by the letter K. Since most variants are equal 
up to a logarithmic term and our results are asymptotic. For a complete introduction to Kolmogorov 
complexity and to some techniques used here, we refer the reader to the book [TS] and to [21) . 

The problem of secret sharing could be studied also in the framework of the algorithmic information 
theory. The idea is that now a secret sharing scheme is not a distribution on binary strings but an 
individual tuple of binary strings with corresponding properties of "secrecy". To define these "secrecy" 
properties for individual strings, we substitute Shannon's entropy by Kolmogorov complexity and get 
algorithmic counterparts of the definition of secret sharing schemes. A similar idea was realized in 
Definition 21 (part 1) in [T] for a special case (for threshold access structures). 

For Kolmogorov complexity there is no natural way to define an "absolutely" perfect version of secret 
sharing scheme. Thus, in the framework of Kolmogorov complexity we can deal only with "approximately- 
perfect" versions of the definition. We define approximately-perfect secret sharing schemes for Kol- 
mogorov complexity just in the same way as we defined (e±, £2)-nonperfect schemes for Shannon's entropy 
(similarly to Definition 12. 2p : 

Definition 3.4. For an access structure T we say that a tuple of binary strings (s, a±, . . . , a n ) is a 
Kolmogorov (ex, £2) -perfect secret sharing scheme for secrets of size N if 

• K{s) = N 

• for Ae T,K{s\a A ) < eiN 

• forBi T, K{s) - K{s\a B ) = I(s : a B ) < e 2 N 

We reuse the template of almost-perfect secret sharing, this time in the Kolmogorov setting using the 
above version of secret sharing scheme. Thus, it should make sense to talk about almost-perfect secret 
sharing in the sense of Kolmogorov. 

It turns out that problems of constructing approximately perfect secret sharing schemes in Shannon's 
and Kolmogorov's frameworks are closely related. For every access structure, in both frameworks the 
asymptotically optimal rates are equal to each other. More precisely, we have the following equivalence: 

Theorem 3.5. Let T be an access structure overn participants and p be a positive real, then the following 
are equivalent: 

• r can be almost-perfectly implemented with parameters (p, £1,62) * ra the sense of Shannon. 

• r can be almost-perfectly implemented with parameters (p, £1,52) in the sense of Kolmogorov. 
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This theorem follows from a more general parallelism between Shannon entropy and Kolmogorov 
complexity. Below we explain this parallelism in terms of realizable complexity and entropy profiles. 

The Kolmogorov complexity profile of a tuple [a] — (aj., . . . , a n ) of a binary string is defined by the 
vector if ([a]) of Kolmogorov complexities of all pairs, triples ... of strings a*. So, it consists consists of 
2" — 1 (integer) complexity values, one for each non-empty subset of n strings aj. In the same way we 
define the entropy profile H([s]) of a tuple [s] = (si, . . . , s n ) of random variables by replacing K(-) by 
//(•)• 

Next theorem explains that the class of realizable complexity profiles and the class of entropy profiles 
are in some sense very similar: 

Theorem 3.6. For every v G _1 the following conditions are equivalent: 

• there is a sequence ([s m ]) m gN of n-tuple of random variables s.t. ^i?([s m ]) — > v 

• there is a sequence ([a m ]) m6 jj of n-tuple of binary strings s.t. —K([a m ]) — > v 

Note that Theorem 13.51 follows immediately from Theorem 13.61 

Proof. To prove this result, we convert a sequence of n-tuple of random variables into a sequence 
of n-tuple of binary strings and visa-versa; these conversions will preserve complexity/entropy profiles: 
corresponding tuples of random variables and strings will have similar values in their profiles. 

The main technical tools are the Kolmogorov-Levin theorem 

K{a, b) = K{a) + K(b\a) + 0(log \ab\) 

and the "typization" trick for entropy and Kolmogorov complexity (the same technique as in [TUl 118) 1. 

[Kolmogorov —5- Shannon] Let [a] = (ai, . . . ,a n ) be an n-tuple of binary strings. For a non-negative 
integer c (to be fixed below) we consider the following set: 

T c ([a}) = {[a'} = (ai,. . . ,a'„) : VU C [1, .. .,n],K( au ) - clog |a| < K{c! v ) < K{a v )} , 

which is the set of n-tuples of binary strings whose complexity profile is close to the one of [a] up to a 
logarithmic term. Further we formulate several properties of T c ([a]). 

Claim 3.7. log #T c ([a]) = 2 K ^-°^ K{ - a » for all large enough c. 

Proof. See Lemma 2 in [TU] and Proposition 1 in [TB] . We fix value c so that Claim 13.71 holds (c 
depends on the size n of the tuple but not on K(a)). □ 

Claim 3.8. Vo' £ T c (a),W,V C [l,...,n],K{a' u \a! v ) = K(au\a v ) - 0(log \a\) 

Proof. Follows from the definition of T c (a) and the Kolmogorov-Levin theorem. □ 

Now, define [s] — (si,...,s„) as an n-tuple of random variables uniformly distributed on T c ([a]). 
From the definition of [s] and Claim [3~71 it follows that entropy of all [s] is close to K(a). We claim 
that in fact all components of the entropy profile of [s] are close to the corresponding components in the 
complexity profile of [a]. We prove this property in two steps. At first, we obtain /Can upper bound: 

Claim 3.9. W C [1, . . . , n],H(su) < K( au ) + 1 

Proof. The number of possible values for sjj is the number of possible substrings a! v for a! G T(a). 
Since K(a' v ) < K(ajj), there is at most 2 K ( au ^ +1 — 1 such values for sjj- Shannon's entropy of a random 
variable cannot be greater than logarithm of the number of its values, and we are done. □ 

Further, we prove the lower bound: 
Claim 3.10. W C [1, . . . , n],H(su) > K{a v ) - (9(log \a\) 



Proof. First, consider a' v for some fixed a' € T(a). From Claim ^(a—la^) < K(a-jj\au) + 
0(log|a|), thus su can take at most 2 K ^ a ~\ a v)+°^ o e. values. This is true for all such a' v , therefore 
H{ ST j\ Su ) < Kiajjlau) + 0(bg |o|). 

Then, 

H(su) — H(s) — H(sjj\su) (equality for entropy) 

> K(a) — K(ajj\au) — 0(log \a\) (by definition of s) 

> K(au) — 0(log |a|) (from symmetry of information) 

□ 

Therefore, the random variable [s] has an entropy profile close to the complexity profile of [a] up to 
a logarithmic factor. The first part for the theorem is proven. 

[Shannon — > Kolmogorov] Let s = (si, . . . , s n ) be a n-tuple of random variables. We fix an integer 
M > (to be specified below) and construct some M x n table 

a\a% . . . af 1 

a 2 a 2 ■ ■ ■ a 2 
a n a n ■ ■ ■ a n 

satisfying the following properties: 

(a) The columns of the table (each column is an n-vector) consist of possible values for the random 
variable [s\. 

(b) Different n-tuples are used as columns in the matrix with different frequencies; we require that each 
frequency is close to the corresponding probability in the distribution of [s] . More precisely, for every 
n-tuple of letters (ai, . . . , a n ) 



the column 



V a n j 



should occur in the table Prob[s = (ati, . . . , a n )] ■ M + 0(1) times. 



(c) The table has the maximal Kolmogorov complexity among all tables satisfying (a) and (b). It implies, 
by a rather simple counting argument, that 

K{a) > M ■ H(s) - 0(\og M) 

Denote <Zj = aj . . . af 1 for all i = 1 . . . n (i.e., we set Oj to be the row i of the table.) Let us verify 
that the n-tuple of binary strings a = (ai, . . . , a n ) has a complexity profile close to the entropy profile of 
s multiplied by M. 

Claim 3.11. MU C [1, . . . , n], K{a v ) < M ■ H(sjj) + 0(log M) 

Proof. We extract from the entire table the rows corresponding to U; count frequencies of different 
columns (of size \U\) that occur in this restricted table (of size \U\ x Af). Denote these frequencies by 
fx, /2, . . . (of course, the sum of all frequencies equals 1). Let h be the entropy of the distribution with 
probabilities /i,/2, By Theorem 5.1 in [2T] . 

K{a v ) < M -h + 0(\ogM). 

Further, we use the fact that frequencies fj are close to the corresponding probabilities of s u : 

h = - E t fi lo S fi 

= "Ei (ft + 0(w))log(Pi[l + 0(^)]) 
< H(au)+0(fc) 

We get the claim by combining the two inequalities. □ 
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Claim 3.12. MU, V C [1, . . . , n], K{ au \a v ) < M ■ H (su\s v ) + O(logM) 

Proof. Denote ay = a v ...a,y. We split all positions i = 1...M into classes corresponding to 
different values of a l v . Denote the sizes of these classes by mi, mi, ... By property (c) of the table, each 
Tfi j must be proportional to the corresponding probability: the number rrij of positions i = 1, ...,M 
such that ay = ojj is equal to 

Prob[s„ = a 3 ] ■ M + 0(1). 

Given ay, we describe au by an encoding a\j separately for different classes of positions corresponding 
to different values of a v . Similarly to the previous Claim, we get 

K(au\a v ) < [mjH(su\s v = aj) + O (log rrij)] 
j 

where rrij is the number of columns c of the table where a v — 6tj . It follows that 

K( au \a v ) <MJ2 Jf H ( s u\sv = a,-) + 0(Iog M) = M ■ H( Su \s v ) + O(logM) 

3 

□ 



Claim 3.13. \/U, V C [1, . . . , n], K{a v \a v ) > M ■ H(s u \s v ) - 0(\og |a|) 
Proof. 

K(ajj\ay) = K(a) — K(ay) — 0(log \a\) by Kolmogorov-Levin Theorem 

> MH(s) — MH(sy) — 0(log \a\) by (c) and previous claim 

> MH (st/|sv) — 0(log |o|) Shannon information equality 

□ 

Thus, we have constructed a n-tuple of binary strings [a] whose complexity profile is close to M times 
the entropy profile of [s], up to some logarithmic term. □ 



4 Scaling of secret sharing schemes 

Here, we attempt to show how to scale up and down any secret sharing scheme. The problem consist of, 
given a secret sharing for TV-bit secrets, constructing new secret sharing schemes for £-bit secrets where 
t can be arbitrary large or small. While this task is easy in the perfect case, it becomes much more 
difficult in the non-perfect case when we are concerned with efficiency and information leak. 

4.1 Scaling for perfect schemes 

We present some easy construction for scaling up and down in the perfect case and state what they 
achieve in terms of efficiency (size of the shares). 

Proposition 4.1. Let T be an access structure and X be a PS(T, N, S) then 

(a) [scaling down] For every positive integer £ < N there exists a PS(T,£, S) 

(b) [scaling up] For every positive integer q there exists a PS(T,qN,qS) 

Proof. 

(a) To scale down, we can reuse the same scheme. Simply restrict the support of the random variable 
k to 2 e values and equip this support with the uniform distribution. Authorized groups can determine 
the secret uniquely since it was the case in the initial scheme. Forbidden have no information about the 
secret otherwise they had some information in the initial perfect scheme. 

(b) For scaling up, the new scheme consists of the concatenation of q independent versions of the 
initial scheme. Since the new scheme consists of independent copies (a serialization) of the initial scheme, 
every new entropy value is q times the old entropy value. □ 
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4.2 Scaling for non-perfect schemes 

Scaling up for nonperfect schemes is similar to the case of perfect schemes. 

Proposition 4.2. Let T be an access structure and X be a e-NPS(r, N, S) then for every non-negative 
integer q there exists a qe-NPS(T,qN,qS) 

Proof. Simply reuse the construction of (b) of proposition 14.11 Then a forbidden group can have at 
most qe bits of information about the secret. □ 

Scaling down of the size of the secret becomes non-trivial for non-perfect secret sharing schemes if 
we want to keep the same information leak and missing information. If we can e-nonperfectly share an 
iV-bit secret, then intuitively it seems that we should be able to share one single bit with information leak 
ratio of about e. However this statement is quite non-obvious. Now we formulate and prove a slightly 
weaker statement (it is the most technical result of this paper) : 

Theorem 4.3. For all c e (0, \) th ere exists an integer Nq > such that for every access structure T 
on n participants. If for some e there exist a e-NPS(r, N, S) where the secret is uniformly distributed, 
such that 

• nS < 2 cN 

• N > N a 

there exists a e'-NPS(T, 1, S) with e' = 8e% , where the secret is uniformly distributed 

Sketch of the proof: Construct a new scheme for a 1-bit secret from the initial scheme in the following 
way. Given a e-NPS(T, N, S) for a uniformly distributed secret in AC = {1, ... , 2 N }, take a splitting of 
K, into two equal parts, say ACo and K.\. Then define a new scheme as follows: to share the bit i, take 
a random element of Ki and share it with the initial scheme. It is easy to see that this new scheme is 
indeed a e'-NPS(T, 1, S) for a uniformly distributed secret bit with some leak e' . This leak e' depends 
on the initial choice of the splitting ICq. We will show that there exists one such splitting for which the 
leak is small. 

We first prove a general lemma about discrete random variables. 

Lemma 4.4. Let X be a finite discrete random variable over a k-element set A (with k even) such that 
H(X) > log k — S for some positive 5. Let B be a random subset of A of size k/2 (B is chosen uniformly, 
i.e., each (k/2)-element subset of A is chosen with probability l/( fe / 2 ))- Then for every 7 £ (0,1), with 
probability at least 

_4r 2 

l_2 e £F 

(probability for a random choice of B) we have 

\\Pr[X eB}-±\\ <2r 
(probability for the initial distribution X), where r = 2 fefife • 

(In applications of this lemma we will choose the most reasonable values of parameter 7 .) 

Proof. For each element x £ A, denote by p x the non-negative weight (probability) that X assigns 
to x. Using this notation we have 

H(X) = ^2 -Arlogpz 

A randomly chosen B contains exactly one half of the points x from A. We need to estimate the sum of 
p x for all igB. We do it separately for "rather large" p x and for "rather small" p x . To make this idea 
more precise, fix a threshold 7 > that separates "rather large" and "rather small" values of p x . Denote 
by p~f the total measure of all p x that are greater than this threshold. More formally, 

Pi = H 

Px>7 

We claim that p 1 is rather small. Indeed, if we need to identify some x S A, we should specify the 
following information which consists of two parts: 
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1. We say whether p x > 7 or not (one bit of information). 

2a. If p x > 7, we specify the ordinal number of this "large" point; there are at most I/7 points x 1 such 
that p x i > 7, so we need at most log(l/7) bits of information; 

2b. otherwise, p x < 7, we simply specify the ordinal number of x in A; here we need at most log fc bits 
of information. 

From the standard coding argument we get 

H{X) <l+ Pl log(l/ 7 ) + (1 - p 7 ) log k 

Since H(X) > logfc - 5, it follows that p 7 < lo *t*v . 

Thus, we may assume that total measure of "rather large" values p x is quite small even in the entire 
set A; hence, "large" points do not affect seriously the measure of a randomly chosen B. It remains to 
estimate the typical impact of "small" p x to the weight of B. 

Technically, it is useful to forget about "large" points x (substitute weights p x > 7 by 0) and denote 



Pi 



Px if Px < 7 
otherwise 



Now we choose exactly fc/2 different elements from A and estimate the sum of the corresponding p x . 
Note that expectation of this sum is one half of the sum of p' x for all x £ A, i.e, (1 — p y )/2. It remains 
to estimate the deviation of this sum from its expectation. We use the version of Hoeffding's bound for 
samplings without replacement, which can be used to estimate deviations for a sampling of fc/2 points 
from a fc-elements set, ([?] [section 6]). The probability of the event that the sum exceeds expected value 
plus some r can be bounded as follows: 

^ — ■» — 2t2 4t 2 

Pr[> j p x > (l-p 7 )/2 + r] < e = e ^ 

x£B 

Together with "large" values p x we have 

Pr[2^ Px > (1 -P 7 )/2 + t + p 7 ] < e ^ 

x€B 

Now we fix the parameter r to be equal to one half of the upper bound for p 7 , i.e., r = 2 io^( 7 fc) ■ ^ 
follows that, 

Prl^P. > 1/2 + 2t] < 
From this bound, we can deduce the symmetric bound for the sum of p x in A \ B: 

. , _4x 2 

Pr[ 2^ p x < 1/2 - 2r] < e 

Since A \ i? and _B share the same distribution (the uniform one), this bound also holds for B. Sum up 
the two bounds and we are done. □ 

We are now ready to prove Theorem l4.3l 

Proof, (of Theorem l4.3[) . Let /Co be a random subset of the set of all secrets K. such that \JCq\ — 2 Ar ~ 1 . 
/Co is chosen uniformly over all possible such fair splittings of /C. If x be the random variable for the 
./V-bit secret in the initial scheme, let us define the new secret bit £ as the bit defined by " >c £ /Co" (£ is 
indeed a bit since -ff(£) = 1). Our goal is to estimate H(!;\<jb) for any B £ T be a forbidden group, and 
show it is large. Formally, we want to show that H(£\<tb) > 1 — e' where e' = 8e^. 

First, we notice that for any bit £ constructed as above, /(£ : as) < £ holds for all B (/ T, so we can 
assume that e' < e, i.e, 
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We know that H(x\<jb) is rather large. More precisely, 

H{x\a B ) > N(l-e) 

We introduce some positive parameter 5 (to be fixed later) to separate all values of <tb into two classes: 
more typical values b such that H(x\(Jb = b) > N(l — 5) 

and 

less typical values b such that H(x\<tb = b) < N(l — S) 

Since the entropy if(x|<jg) is large, the total measure of all "less typical" values b is rather small 
(more precisely, it is not greater than |). We do not care about the conditional entropy of £ when b is 
non- typical (the total weight of these b is so small that they do not contribute essentially to H(£\(Tb))- 
We focus on the contribution of H (£|c_b = b) for a typical value b. To estimate this quantity we apply 
lemma WM to the distribution k conditional to <r B = b, it follows that 

_4t 2 9 -N 

H{S,\a B =b)> h(l/2 + 2r) > 1 - 16r 2 with probability 1 - 2e ^ 

for some new parameter 7 > and r = 2 (io^+jv) ■ 

This inequality true for all forbidden group B and any typical share b. Thus if we sum up the bad 
events, we obtain that the following estimation for H{£\(Tb)'- 

H^Wb) = Pt ^ b = h \ H ^WB = b) 

b£S B 

]T Pr[jB=b]H(t\a B =b) 

typical b 



> 



> (l--)(l-16r 2 ) 

> 1 - % - 16r 2 



holds with probability at least 



|r||5p|2e" 



(2) 



where S-p is the set of all possible shares given to the group of all participants. 

Now, we choose our parameters 7 and S to deduce our result and show that our choice is valid. We 
take 



16r 2 = % = -e' = 4e§ 



(3) 



Under these conditions 



log 7 



-N 







M 









(4) 



and 



#(£|B) > l-8es = l-e 1 



We want to find a simple sufficient condition that guarantees that the probability |5| is non-negative. 
To this end we do some (rather boring) calculations. We take the required inequality and reduce it step 
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by step to a weaker but more suitable form: 

that is what we need, see @ 

trivial upper bounds for |T| and \S-p\ 

since e > 2 
by applying log 
since S > 1 
from © and (0} 
since e' < eN 
by assumption 

from ([I]) 

The last inequality (which is a sufficient condition for @ to be non-negative) holds when c < \ and 
N > Nq for some large enough No depending on c. □ 

Notice that in this case we consider schemes where the secret is uniformly distributed since the 
dependency on the probability distribution of the secret is not trivial in the nonperfect case. Sharing 
exactly one bit instead of N seems more difficult. We do not know whether this bound can be improved, 
in particular, can we achieve a leak of O(e) ? The assumption nS — 0(2 N ) points out that the result 
holds for various kind of access structures defined by some trade-off between the number of participants 
n and the size of the shares S of a scheme for A^-bit secrets. 

5 Conclusion 

In this article we introduced several definitions of almost-perfect secret sharing schemes (two versions in 
the framework of Shannon's entropy and another version in the framework of Kolmogorov complexity) . 
We proved that all these approaches are asymptotically equivalent (have equivalent asymptotical rates 
of schemes for each access structure). This means that we can combine tools of Shannon's information 
theory and Kolmogorov complexity to investigate the properties of approximately-perfect secret sharing. 

The major questions remain open. The most important one is to understand: can almost perfect 
secret sharing schemes achieve substantially better information rates than perfect (in classic sense) secret 
sharing schemes? The known proofs of lower bounds for the rate of perfect secret sharing schemes are 
based on combinations of information inequalities; so it is not hard to check that the same type of 
arguments imply the same kind of bounds for almost perfect schemes. Thus, the problem of separating 
the information rates for almost-perfect and exactly perfect schemes looks rather hard. 
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